[Freeipa-users] HBAC rule refreshes and read-only slaves

Jakub Hrozek jhrozek at redhat.com
Fri Jun 8 05:53:33 UTC 2012


On Fri, Jun 08, 2012 at 11:22:59AM +1000, Cam McK wrote:
> Hello
> 
> Thanks for an awesome product! I have two questions that I can't seem to
> find answers for...
> 
> 1). How long is the delay between changing an HBAC rule and it coming into
> effect on the host machine?
> Currently this information only seems to be updated on the host after a
> 'service sssd reload/restart'. Also, are the HBAC access rules stored
> within the LDAP Directory?

That shouldn't be the case, in fact, the HBAC rules should be refreshed
on each login. Maybe there's a misconfiguration on the client that makes
it go online and then the rules are evaluated from the cache.

Can you raise the debug level in the domain section of sssd.conf,
restart sssd and check for hbac-related debug messages in
/var/log/sssd/sssd_$domain.log ?
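
The steps suggested above, as an added example that is not part of the original message: a shell helper that sets `debug_level` only inside the chosen `[domain/...]` section of an sssd.conf copy, and a filter for HBAC-related lines in the domain log. The domain name `ipa.example.com`, the level 9 and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original thread. Try it on a copy of sssd.conf.

# set_domain_debug CONF DOMAIN LEVEL
# Prints CONF with debug_level set to LEVEL inside [domain/DOMAIN] only;
# a debug_level already in that section is replaced, other sections are kept.
set_domain_debug() {
    awk -v sect="[domain/$2]" -v lvl="$3" '
        /^[ \t]*\[.*\][ \t]*$/ {
            hdr = $0
            gsub(/^[ \t]+|[ \t]+$/, "", hdr)
            in_sect = (hdr == sect)
            print
            if (in_sect) print "debug_level = " lvl
            next
        }
        in_sect && /^[ \t]*debug_level[ \t]*=/ { next }
        { print }
    ' "$1"
}

# hbac_lines LOG: case-insensitive filter for HBAC-related messages.
hbac_lines() {
    grep -i 'hbac' "$1"
}

# Demo on constructed input (domain name, level 9 and log text are made up).
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/sssd.conf" <<'EOF'
[sssd]
domains = ipa.example.com
debug_level = 2

[domain/ipa.example.com]
id_provider = ipa
access_provider = ipa
debug_level = 0
EOF
    cat > "$tmp/sssd_ipa.example.com.log" <<'EOF'
constructed line: PAM account request received
constructed line: HBAC rules downloaded from server
constructed line: hbac evaluation finished, access granted
EOF
    set_domain_debug "$tmp/sssd.conf" ipa.example.com 9
    # On a real client: install the new file, then `service sssd restart`.
    hbac_lines "$tmp/sssd_ipa.example.com.log"
    rm -rf "$tmp"
}

demo
```

Comparing the filtered log lines across two logins, one before and one after a rule change, shows whether the client fetched the rules again or evaluated them from its cache.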



